
What You Don't See On Your Hard Drive

I have been working on a paper dealing with how data is stored, deleted, and recovered on hard drives for the last few weeks. In the course of my research I found this paper which covers this subject more eloquently than I could ever hope for.

Just because you don't see it doesn't mean it's not there. Having knowledge of something that exists but is hidden from your sight gives you an advantage, because you know it's there. In the security field it is very important to keep up to date on the latest information available. If you don't, someone will take advantage of your ignorance. Things are always changing and becoming bigger, better, faster and sometimes sneakier. A few years back in my Information Technology career I made the change from Desktop Support to the Information Security Group. Since then I have learned a tremendous amount about security. I have learned that you have to train yourself to think differently about things, and add a little paranoia. This paper will address two security concerns that I found very interesting. They both have to do with things that are not in plain sight. The first security concern covers the issue of retrieving data that has been deleted. So many people have no idea about the data that is left behind when you delete files or fdisk and format your hard drive. The second issue deals with hidden access and control of your computer. I will look at what a rootkit is and look at the recent development of rootkits designed for Microsoft Windows operating systems.

If you receive something that says 'Send this to everyone you know,' pretend you don't know me.

Good job man, this is really an interesting subject I think: how computers store data and how they delete it. Most people think when you delete something it's not still there, it's gone, but in reality the computer marks it as free space and it's still there. We learned this a few weeks ago in my OS class.

A few weeks ago all my mp3's "magically" vanished. How? Not a clue. I checked my D drive, and sure enough, the amount of available space had increased dramatically. I checked all drives, folders, files, everything. No sign of them. I fired up Norton UnErase and it found them. Where? I don't have any idea. But it was weird to see that the space the mp3's took up on my D drive WAS no longer there. They were on my system, but masked somehow.

Firestarter: from what you're describing, your mp3 files were indeed deleted*: the fact that the total free space increased reflects that. Notice that I said "deleted*" with an *: when you "delete" files, you basically just erase the "index" that says where the file is stored on the disk. The content of the file itself isn't erased. Norton UnErase uses that fact to restore files that have been "deleted" but not overwritten yet: it just makes a new "index" for the file to be restored, and voilà... This is how you were able to recover your mp3s...

Ammo

Hey, quickly reading the SANS article, I notice they didn't mention NTFS hidden data streams, which can also be used to hide data... Oddly, they already have an article describing that, though: http://rr.sans.org/threats/win_NTFS.php

A question then: You have a partitioned drive. C drive is 5G and D drive is 10G. You go to Kazaa and download 9.9G of mp3's on your D drive (this is a hypothetical situation). You write down a list of all these mp3's, then delete them! Your PC says you have 10G of available space on your D drive again. Back to Kazaa you go and download another 9.9G of mp3's. Does this mean that your 10G D drive is actually holding 19.8G of mp3's? Or is the info from those original mp3's now actually overwritten and unable to be retrieved?

Your D drive would be holding all the new mp3s, having wiped the old ones to make space for the new ones. You would be unable to retrieve the old mp3s. The disk is physically unable to hold more than 10 GB of data.
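Both points in this thread, Ammo's explanation that a delete only drops the "index" while the content stays until it is overwritten, and the answer to the 9.9G-twice question, are easiest to see in a toy filesystem. The block below is an added example written for this page; it is not code from the thread, from the SANS paper or from Norton UnErase. It assumes a hypothetical 10-block disk (`ToyDisk`, `NUM_BLOCKS`, `BLOCK_SIZE` and the scenario functions are all names made up here) whose delete behaves like FAT's: the directory entry is flagged, the allocation bits are cleared, and the data blocks are left untouched. `undelete` reinstates a flagged entry only if none of its blocks has been reused, `unallocated_bytes` is what a carving tool would scan, and `wipe` shows the one thing that actually removes the data.

```python
"""Toy block filesystem: what 'delete' does and when deleted data is really gone.

Hypothetical model, added for illustration (not code from this thread, the SANS
paper or Norton UnErase): fixed-size blocks, an allocation bitmap and a
directory 'index'. Deleting flags the entry and clears bitmap bits; the bytes in
the blocks are left alone, as on FAT volumes.
"""

BLOCK_SIZE = 8    # bytes per block, tiny so the demo fits on screen
NUM_BLOCKS = 10   # the thread's "10 GB D: drive" in miniature


class ToyDisk:
    def __init__(self):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(NUM_BLOCKS)]
        self.used = [False] * NUM_BLOCKS   # allocation bitmap
        self.index = {}                    # name -> (block list, length, deleted flag)

    def free_space(self) -> int:
        """What the OS reports: unallocated blocks, whatever they still contain."""
        return self.used.count(False) * BLOCK_SIZE

    def listdir(self) -> list:
        return sorted(n for n, (_, _, dead) in self.index.items() if not dead)

    def write(self, name: str, data: bytes) -> None:
        need = -(-len(data) // BLOCK_SIZE)              # ceiling division
        free = [i for i, u in enumerate(self.used) if not u]
        if need > len(free):
            raise OSError("disk full")                  # 10 blocks hold 10 blocks, no more
        chosen = free[:need]
        for n, b in enumerate(chosen):
            chunk = data[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
            self.blocks[b][:] = chunk.ljust(BLOCK_SIZE, b"\0")  # overwrites old bytes
            self.used[b] = True
        self.index[name] = (chosen, len(data), False)

    def read(self, name: str) -> bytes:
        blocks, length, dead = self.index[name]
        if dead:
            raise FileNotFoundError(name)
        return b"".join(bytes(self.blocks[b]) for b in blocks)[:length]

    def delete(self, name: str) -> None:
        """Ordinary delete: flag the entry and release the blocks; data untouched."""
        blocks, length, _ = self.index[name]
        self.index[name] = (blocks, length, True)
        for b in blocks:
            self.used[b] = False

    def undelete(self, name: str) -> bytes:
        """UnErase-style recovery: reinstate the entry if no block has been reused."""
        blocks, length, dead = self.index[name]
        if not dead:
            raise ValueError(f"{name} is not deleted")
        if any(self.used[b] for b in blocks):
            raise OSError(f"{name}: blocks reallocated, content overwritten")
        for b in blocks:
            self.used[b] = True
        self.index[name] = (blocks, length, False)
        return self.read(name)

    def unallocated_bytes(self) -> bytes:
        """Raw content of free blocks: what a carving tool scans."""
        return b"".join(bytes(self.blocks[i]) for i, u in enumerate(self.used) if not u)

    def wipe(self, name: str) -> None:
        """Overwrite before releasing, so neither undelete nor carving gets anything."""
        blocks, _, _ = self.index[name]
        for b in blocks:
            self.blocks[b][:] = b"\0" * BLOCK_SIZE
        self.delete(name)
        del self.index[name]


def delete_then_undelete() -> dict:
    """Firestarter's case: free space goes up, nothing is listed, yet the file comes back."""
    disk = ToyDisk()
    song = b"ID3\x03" + b"\xff\xfb" * 10   # constructed 24-byte stand-in for an mp3
    disk.write("song.mp3", song)
    free_before = disk.free_space()
    disk.delete("song.mp3")
    return {"free_before": free_before, "free_after": disk.free_space(),
            "listed": disk.listdir(), "on_platter": song in disk.unallocated_bytes(),
            "recovered": disk.undelete("song.mp3")}


def refill_scenario() -> dict:
    """The 9.9G-twice question: old data lives only until its blocks are reused."""
    disk = ToyDisk()
    batch1 = b"OLD-" + b"o" * 68           # 72 bytes = 9 of the 10 blocks
    batch2 = b"NEW-" + b"n" * 68
    disk.write("batch1", batch1)
    disk.delete("batch1")
    survives_before = batch1 in disk.unallocated_bytes()
    disk.write("batch2", batch2)           # takes the same 9 blocks, overwriting batch1
    survives_after = batch1 in disk.unallocated_bytes()
    try:
        disk.undelete("batch1")
        undelete_ok = True
    except OSError:
        undelete_ok = False
    try:
        disk.write("extra", b"x" * 16)     # needs 2 blocks, only 1 is free
        disk_full = False
    except OSError:
        disk_full = True
    return {"before": survives_before, "after": survives_after,
            "undelete_ok": undelete_ok, "disk_full": disk_full}


def wipe_leaves_nothing() -> bool:
    disk = ToyDisk()
    secret = b"SECRET" * 4
    disk.write("secret.txt", secret)
    disk.wipe("secret.txt")
    return secret in disk.unallocated_bytes()
```

`delete_then_undelete` reproduces what Firestarter saw: free space jumps from 56 to 80 bytes, the directory lists nothing, yet the bytes are still sitting in unallocated blocks and `undelete` brings the file back intact. `refill_scenario` answers the question in the last two posts: after the second batch is written over the same blocks the old bytes are gone, `undelete` fails, and a further write hits "disk full" because ten blocks never hold more than ten blocks. The toy skips one case real tools must handle: blocks that were reused and then freed again still read as free in the bitmap but hold the newer file's bytes, which is why carving tools check content signatures instead of trusting the directory. Overwriting before release (`wipe`) is the only thing that defeats both approaches.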